
Article 1 
Regulation (EC) No 1663/95 is amended as follows:

1. Article 1 is amended as follows:

(a) In the second phrase of the second subparagraph of paragraph 3, the terms ‘the security of computer systems’ are replaced by the terms ‘the security of information system’.
(b) In the first subparagraph of paragraph 7, the following indent is added:
'— the provisions concerning the security of information systems'.
2. In Article 3(1), the following subparagraphs are added:
'As of financial year 2008 at the latest, the certifying body shall further provide, before the date referred to in the third subparagraph, a statement as to the information systems security measures put in place by the paying agency. The statement shall be based on a version applicable in the financial year concerned of the chosen internationally accepted security standards referred to in point 6(vi) of the Annex to this Regulation, serving as the basis for the security measures, and shall indicate whether, for the financial year concerned, effective security measures were in place.
For the financial years preceding that for which the first statement on the security of the paying agency’s information systems is drawn up, the certifying body shall, in its report of its findings, include comments and provisional conclusions, using a scoring mechanism, as to the information systems security measures put in place by the paying agency. The report shall be based on a version applicable in the financial year concerned of the chosen internationally accepted security standards referred to in point 6(vi) of the Annex to the present Regulation, serving as the basis for the security measures, and shall indicate as to what extent, for the financial year concerned, effective security measures were in place'.
3. Article 4(2) is replaced by the following:
'2. The documents and the accounting information referred to in paragraph 1 shall be sent to the Commission by 10 February of the year following the end of the financial year which it concerns. The documents referred to in points (a) and (b) of paragraph 1 shall be sent in one copy together with an electronic copy'.
4. The Annex is amended in accordance with the Annex to this Regulation.
Article 2 
This Regulation shall enter into force on the seventh day following that of its publication in the Official Journal of the European Union.
It shall apply for the first time in respect of the financial year beginning 16 October 2004.
This Regulation shall be binding in its entirety and directly applicable in all Member States.
Done at Brussels, 22 March 2005.
For the Commission
Mariann FISCHER BOEL
Member of the Commission
ANNEX

The Annex to Regulation (EC) No 1663/95 is amended as follows:

1. Point 2(iii) is replaced by the following:
'(iii) Accounting for payment: the objective of this function is the recording of the payment in the agency’s separate books of account of EAGGF expenditure, which will normally be in the form of an information system, and the preparation of periodic summaries of expenditure, including the monthly and annual declarations to the Commission. The books of account also record the assets financed by the Fund, in particular concerning intervention stocks, uncleared advances and debtors.'
2. In the introductory phrase of point 4, the terms ‘and/or the technical service’ are replaced by the terms ‘, technical service, and/or information systems management’.
3. Point 6(vi) is replaced by the following:
'(vi) Information systems security shall be based on the criteria laid down in a version applicable in the financial year concerned of one of the following internationally accepted standards:

— International Standards Organisation 17799/British Standard 7799: Code of practice for Information Security Management (BS ISO/IEC 17799),
— Bundesamt für Sicherheit in der Informationstechnik: IT-Grundschutzhandbuch/IT Baseline Protection Manual (BSI),
— Information Systems Audit and Control Foundation: Control Objectives for Information and related Technology (COBIT).
The paying agency shall choose one of the international standards referred to in the first subparagraph as the basis for its information systems security.
Security measures should be adapted to the administrative structure, staffing and technological environment of each individual paying agency. The financial and technological effort should be in proportion to the actual risks presented.'
